Malicious PDF — malware analysis report

Static analysis result for SHA-256 1668c80dde20573f…

MALICIOUS

PDF

38.4 KB Created: 2020-09-02 15:52:35 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3431aa87d2f858eb68b1ad6a8a55337e SHA-1: 7dd42010a23e3add626ee9d814c7763ea8207cfb SHA-256: 1668c80dde20573f2c9b2fdbfcfe454c57ca15d4265a9c21b3b286ed6a820676
154 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a mass of external links, with one identified as a known malicious redirector. The document body, though heavily obfuscated, contains text related to traffic reports and includes the malicious URL. The ML classifier also strongly indicated maliciousness. The primary goal appears to be redirecting the user to malicious infrastructure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINK
    PDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://ttraff.club/wix?keyword=5+fwy+traffic+report
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://static.usrfiles.com/ugd/121e37_58c82cb5b54d4c319abe91224b0365b5.pdf
    • https://static.usrfiles.com/ugd/ab922d_dbbdaab9043e4774a942a6d753a4f8e0.pdf
    • https://static.usrfiles.com/ugd/d01287_8e9885972cc0403eb662f8c6eca3ced9.pdf
    • https://cdn.shopify.com/s/files/1/0434/1032/5671/files/21611641939.pdf
    • https://static.usrfiles.com/ugd/99a8f2_10e68a65b03b488b8e97e613e8524b4f.pdf
    • https://static.usrfiles.com/ugd/5438e3_f136800229d5478dbfdf9e2030e4526b.pdf
    • https://static.usrfiles.com/ugd/227d0f_20e05d119afb4955bcd656918c135d64.pdf
    • https://static.usrfiles.com/ugd/5e8de6_017a85e63ca9433b9a567104d1c07e19.pdf
    • https://static.usrfiles.com/ugd/4c76bf_04f07197dc85454a9e7b41fc0bb13e14.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005570.bin
6e5711e72e23c4a8612554c390645e100dbda6bf630306e90c4b36e6f504e730		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5570 5020 bytes
font_01_sfnt_off000066b6.bin
bbd520874fa75f70b079ebaacd9275bf1abaeca4a3135346ab4d9e3beecdfa58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66B6 11776 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.